Janus Chow created RANGER-2976:
----------------------------------
Summary: User can not create external table in Hive Plugin
Key: RANGER-2976
URL: https://issues.apache.org/jira/browse/RANGER-2976
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: 2.0.0
Reporter: Janus Chow
A user "userA" wants to create an external table on "hdfs://test/testDir" via a
Hive Metastore that has the Ranger Hive plugin installed. The permission
information is as follows.
{code}
# id userA
uid=3044(userA) gid=3044(userA) groups=992(supergroup)
# hadoop fs -ls hdfs://test
drwxrwxr-x - userB supergroup 0 2019-01-01 00:00 hdfs://test/testDir
# hadoop fs -ls hdfs://test/testDir
-rw-rw-r-- 3 userB supergroup 1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet
{code}
When "userA" is trying to create an external table on "hdfs://test/testDir"
with the following command,
{code:java}
spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS (
path = 'hdfs://test/testDir')")
{code}
Ranger denied the operation with the following error message.
{code:java}
org.apache.hadoop.hive.ql.metadata.HiveException:
MetaException(message:Permission denied: user [userA] does not have [ALL]
privilege on [hdfs://test/testDir])
{code}
The reason is that when Ranger checks the URI permission and "userA" is not the
owner of the HDFS path, it checks whether the user has FSAction.ALL on the URI.
HDFS files do not get the execute permission set by default, so the Ranger
permission check returns false.
I think that in the getURIAccessType function in RangerHiveAuthorizer, we should
return FSAction.READ_WRITE instead of FSAction.ALL. For HDFS directories, Hadoop
will add FSAction.EXECUTE for us when we do the permission check, so we can skip
FSAction.EXECUTE here to work well with HDFS files.
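To make the failing check concrete, the following Python model (an added example, not Ranger's or Hadoop's code) evaluates the HDFS permission bits from the listing above under the current FSAction.ALL requirement and under the proposed FSAction.READ_WRITE. The owner short-circuit, the POSIX-style owner/group/other bit selection and the EXECUTE bit added for directories are assumptions taken from the description in this report; the parquet file name is shortened.

```python
# Added illustration: a constructed model of the URI permission check
# described in this report. It is not Ranger's or Hadoop's code.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 4, 2, 1
# Required bits per FsAction name (assumed to mirror Hadoop's FsAction masks)
FS_ACTION = {"READ_WRITE": READ | WRITE, "ALL": READ | WRITE | EXECUTE}


@dataclass(frozen=True)
class HdfsStatus:
    """Owner, group and mode bits of an HDFS path, as shown by 'hadoop fs -ls'."""
    path: str
    owner: str
    group: str
    mode: int       # e.g. 0o664 for -rw-rw-r--
    is_dir: bool


def effective_bits(status, user, groups):
    """Pick the owner/group/other permission triplet that applies to this user."""
    if user == status.owner:
        return (status.mode >> 6) & 7
    if status.group in groups:
        return (status.mode >> 3) & 7
    return status.mode & 7


def uri_access_allowed(status, user, groups, access_type):
    """Model of the check: the owner passes; everyone else needs every bit of
    access_type. For directories the EXECUTE bit is added to the requirement,
    which is the behaviour the report attributes to Hadoop (assumption)."""
    if user == status.owner:
        return True
    required = FS_ACTION[access_type]
    if status.is_dir:
        required |= EXECUTE
    return effective_bits(status, user, groups) & required == required


# Constructed sample mirroring the listing in the report
PART_FILE = HdfsStatus("hdfs://test/testDir/part-00000.snappy.parquet",
                       "userB", "supergroup", 0o664, is_dir=False)
TEST_DIR = HdfsStatus("hdfs://test/testDir", "userB", "supergroup", 0o775, is_dir=True)
USER_A_GROUPS = {"userA", "supergroup"}

if __name__ == "__main__":
    for st in (TEST_DIR, PART_FILE):
        for access_type in ("ALL", "READ_WRITE"):
            print(st.path, access_type, uri_access_allowed(st, "userA", USER_A_GROUPS, access_type))
```

The file case shows the denial from the report: group bits rw- (6) do not satisfy ALL (7) but do satisfy READ_WRITE, while a user outside the group (r-- only) is still denied under READ_WRITE.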
--
This message was sent by Atlassian Jira
(v8.3.4#803005)